When CCPA Doesn't Apply

When an Organization Is Not a “Business”

The first dividing line that determines whether the CCPA applies is the law’s definition of a “business,” because only businesses are required to be in compliance. Under the CCPA, a business is a for-profit entity that collects consumers’ personal information, does business in California, and meets at least one of these criteria:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, sells, shares, or receives the personal information of at least 50,000 consumers, devices, and households
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

Using this definition, the CCPA does not apply to many companies because they do not meet these threshold requirements. Also, because of the for-profit requirement, the CCPA does not apply to government entities or most nonprofits. Some nonprofits may still be bound by the data privacy law if they share common branding with and are controlled by a business to which the CCPA applies.

Learn more about which businesses must comply with the CCPA.

California Residents Only

It doesn’t matter where a company is based out of; as long as it meets the CCPA’s definition of a business, it can be located on the other side of the world. However, the CCPA only protects California residents. A resident is any person who is in the state of California for more than a temporary or transitory purpose, or a person who is temporarily outside the state if their permanent domicile is in California.

For example, if a Los Angeles-based business collects and shares the personal information of a New York resident, the CCPA does not apply to that activity. Conversely, the CCPA does apply when a New York-based business collects the information of a Californian. Businesses should also take note that they cannot deny a CCPA privacy request just because it originated outside of California; if a person has their permanent home in California, they retain residency and their privacy rights even when they temporarily leave the state.

Learn more about who has rights under the CCPA.

No Personal Information Involved

A key aspect of the CCPA is that it only applies to “personal information.” This term is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This can include everything from IP addresses to credit card numbers to geolocation data. As broad as this definition is, it doesn’t cover everything.

The biggest exception is that publicly available information is not personal information. “Publicly available” means the information was lawfully made available from federal, state, and local government records. Effective January 1, 2023, the California Privacy Rights Act (CPRA) adds two new types of publicly available information. The first is for “lawfully obtained, truthful information that is a matter of public concern.” This provides a necessary exemption for journalism. The other new category of publicly available information is information that is made widely available by the consumer or widely distributed media. This frees businesses to collect consumer information that is publicly shared on social networks.

The second exception is for deidentified or aggregate consumer information. This exception applies when it is not possible to link the information to a particular consumer or household. For example, if a business collects usage statistics on how many consumers visit their homepage, but these statistics can’t be used to identify individuals, it is not personal information and the CCPA does not apply.

Learn more about what is personal information under the CCPA.

When Other Laws and Regulations Apply

When it comes to data protection and privacy, some industries are already regulated by state and federal law. The CCPA exempts data to which these laws apply, to avoid conflicting rules and obligations. These laws include:

The Health Insurance Portability and Accountability Act (HIPAA) – HIPAA typically relates to medical information, and already provides for the confidentiality and security of this data. The CCPA therefore does not apply to many healthcare providers and related businesses, at least to the extent the data collected is covered by HIPAA.

The Gramm-Leach-Bliley Act (GLBA) – The GLBA applies to banks and other financial institutions, and includes rules about how they must treat nonpublic personal information about their consumers. The CCPA does not apply to personal data that is already subject to the GLBA.

The Fair Credit Reporting Act (FCRA) – The FCRA deals with information that is collected and supplied to credit reporting agencies for the purpose of performing background checks. If the data is already covered by the FCRA, then the CCPA doesn’t apply.

Learn more about CCPA exemptions for HIPAA, the GLBA, and the FCRA.

CCPA Compliance for Your Business

The CCPA is a complex law, and its numerous rules and exceptions can be overwhelming for businesses looking for the simplest path to compliance. TrueVault Polaris is an automated CCPA compliance tool that takes all of these rules into account and guides your business step by step through the whole process.

Learn more about how TrueVault Polaris can get your business CCPA compliant in less time and at a lower cost. Contact our team today.

Schedule Call